Voice over Internet Protocol, or VoIP, is an emerging service by which a telephone or voice call is routed over a packet-switched network, such as the Internet. Many protocols have been developed to facilitate VoIP, one such protocol being the Session Initiation Protocol (SIP). SIP generally works in concert with several other protocols and mainly provides the call set-up and signaling portion of a VoIP call. That is, SIP is responsible for setting up and tearing down the session over which the VoIP call occurs, not for the actual transmission of call data over that session. Other protocols, such as the Session Description Protocol (SDP) and the Real-time Transport Protocol (RTP), are typically employed for describing, packaging and transmitting the call data.
Typically, SIP-enabled telephony networks include a number of SIP clients or devices coupled to a SIP proxy server. One feature offered by the proxy server enables a SIP device to register its current location, e.g., an IP address and port currently assigned to the SIP device, so that the proxy server can properly forward any SIP packets designated for the SIP device to that registered location. This registration feature, therefore, enables SIP devices, such as a SIP-enabled cellular phone, to roam among various IP networks and still receive VoIP calls. Frequently, two SIP proxy servers couple to one another and form what may be referred to as a “SIP trunk.” Often SIP trunks arise when one proxy server resides within a private network, such as an enterprise network, and the other proxy server resides within a public network, such as the Internet.
The private network may insert a firewall or other network security device between the two proxy servers to secure the private network from attacks originating within the public network. The firewall enforces security by blocking all traffic except that matching a select few IP address/port pairs. These permitted IP address/port pairs can be seen as small, restrictive holes, which are commonly referred to as “pinholes.” Typically, each pinhole defines a public IP address/port pair and a private IP address/port pair. The public IP address/port pair indicates an IP address/port pair assigned to a device that resides in the public network from which the firewall accepts traffic. The private IP address/port pair indicates an IP address/port pair assigned to a device that resides in the private network to which the firewall permits traffic to flow. To enable SIP communications occurring over the SIP trunk to flow between the public and private networks, the firewall therefore opens at least one pinhole.
However, these pinholes are often coarsely defined because only the proxy servers know the IP address/port pairs, i.e., locations, of the SIP devices to which the proxies couple. That is, the public proxy server knows the locations of the public SIP devices but not the private SIP devices, and vice versa. Thus, the firewall cannot adequately define the public address/port pair of the pinhole and must set this pair to allow any IP address and any port. This creates a substantial security risk, as any public device may now reach the private network through the broad pinhole. Further, because the private proxy server initiates all SIP requests for new VoIP calls on behalf of devices in the private network, the private IP address/port pair of the pinhole is set to the IP address/port pair of the initiating proxy server. Upon receiving subsequent SIP requests from the private proxy server, the firewall may return the same pinhole previously opened for that proxy server. Two or more calls may therefore proceed through the firewall via the same pinhole without being distinguished as separate traffic flows. Indistinguishable flows lead to poor use of firewall resources: resources allocated to a call that has completed cannot be released, because the firewall views the separate call flows as one and cannot tell that any particular call is complete.
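The following is an added example, not part of the original text, that models the pinhole behaviour described in the two preceding paragraphs as a small simulation. All addresses (the private proxy 10.0.0.5:5060, the public peers in 198.51.100.0/24, the attacker at 203.0.113.9) are constructed sample values, and the per-call "unit" of firewall state is a stand-in for whatever the firewall reserves per opened pinhole. The "coarse" policy is the any-address/any-port pinhole the text describes; the "per_call" policy is a hypothetical contrast that assumes the firewall somehow learns each public peer's address, which the text notes a firewall on a SIP trunk ordinarily cannot.

```python
"""Toy model of firewall pinholes on a SIP trunk (added illustration)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)
ANY: Endpoint = ("0.0.0.0", 0)      # wildcard public side: any IP, any port


@dataclass(frozen=True)
class Pinhole:
    public: Endpoint    # public-side pair from which traffic is accepted
    private: Endpoint   # private-side pair to which traffic may flow

    def admits(self, src: Endpoint, dst: Endpoint) -> bool:
        """True if a packet from src to dst passes through this pinhole."""
        public_ok = self.public == ANY or self.public == src
        return public_ok and self.private == dst


class Firewall:
    """Keeps one entry per distinct pinhole and expires entries on idle.

    The firewall never learns which call a packet belongs to; it only sees
    whether *some* traffic still matches an open pinhole.
    """

    def __init__(self) -> None:
        # pinhole -> units of per-call state reserved on it (constructed metric)
        self.holes: Dict[Pinhole, int] = {}

    def open(self, public: Endpoint, private: Endpoint) -> Pinhole:
        hole = Pinhole(public, private)
        # An identical rule is handed back rather than duplicated, so repeated
        # requests for the same coarse pinhole pile their state onto one entry.
        self.holes[hole] = self.holes.get(hole, 0) + 1
        return hole

    def admits(self, src: Endpoint, dst: Endpoint) -> bool:
        return any(hole.admits(src, dst) for hole in self.holes)

    def tick(self, packets: Set[Tuple[Endpoint, Endpoint]]) -> None:
        """One idle-timer interval: release pinholes that saw no traffic."""
        for hole in list(self.holes):
            if not any(hole.admits(src, dst) for src, dst in packets):
                del self.holes[hole]

    def reserved_units(self) -> int:
        return sum(self.holes.values())


def simulate(policy: str) -> dict:
    """Run two calls through the private proxy under the given pinhole policy."""
    fw = Firewall()
    private_proxy: Endpoint = ("10.0.0.5", 5060)      # constructed
    peer1: Endpoint = ("198.51.100.10", 5060)         # public peer, call 1
    peer2: Endpoint = ("198.51.100.20", 5060)         # public peer, call 2
    attacker: Endpoint = ("203.0.113.9", 4444)        # unrelated public host

    if policy == "coarse":
        # The firewall does not know the public peers, so both calls get the
        # any/any public pair and the initiating proxy as the private pair.
        h1 = fw.open(ANY, private_proxy)
        h2 = fw.open(ANY, private_proxy)
    elif policy == "per_call":
        # Hypothetical: the firewall has learned each peer's address.
        h1 = fw.open(peer1, private_proxy)
        h2 = fw.open(peer2, private_proxy)
    else:
        raise ValueError(policy)

    distinct = len(fw.holes)
    attacker_admitted = fw.admits(attacker, private_proxy)

    fw.tick({(peer1, private_proxy), (peer2, private_proxy)})  # both calls active
    fw.tick({(peer2, private_proxy)})                           # call 1 has ended

    return {
        "same_pinhole": h1 == h2,
        "distinct_pinholes": distinct,
        "attacker_admitted": attacker_admitted,
        "units_reserved_after_call1_ends": fw.reserved_units(),
    }


if __name__ == "__main__":
    for policy in ("coarse", "per_call"):
        print(policy, simulate(policy))
```

Under the coarse policy both calls collapse onto a single pinhole, the unrelated public host is admitted, and the state reserved for call 1 stays allocated after that call ends because call 2's packets keep the shared entry from going idle. Under the per-call policy the attacker is rejected and call 1's entry is released on the next idle interval while call 2 continues.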